Control units are electronic modules which, for instance, are used in motor vehicles for the control and regulation of functional sequences. For this purpose the control units are assigned to the particular components of the motor vehicle whose operation will be controlled with the aid of the assigned control unit. In order to do so, the control unit reads in data acquired by sensors and influences the operation by controlling actuators.
The described method is used in conjunction with an electronic security module, which is utilized in a control unit, especially in the automotive field, in security-relevant areas. In most applications in the security-relevant areas the manipulation-proof or non-monitorable storing of data is an essential requirement. Cryptographic keys, which are utilized in symmetrical or asymmetrical encryption methods, are used for this purpose.
The employed codes and encryption methods constitute secrets that need to be kept hidden from attackers. Other uses in security-relevant areas, for instance, concern the protection against unauthorized modifications, such as the storing of changed serial numbers or odometer readings, the prevention of unauthorized tuning measures, etc.
Hence it is necessary to provide secure environments in control units, in which functionalities can be executed that must have access to and/or modify these secrets. These environments normally have a secure computer unit or CPU, also referred to as a secure CPU, as well as a storage module. An environment of this type is called a hardware security module (HSM) in this text. It represents a high-performance module, which includes hardware and software components and improves the security and trustworthiness of embedded systems. The HSM in particular helps in protecting security-critical applications and data. The security costs are also able to be reduced by an HSM, while effective protection against attackers is offered at the same time. As far as the basic structure of an HSM is concerned, reference is made to FIG. 3.
It should be noted that the communication of control units in vehicles or in vehicle systems is not carried out in redundant fashion these days and is secured only by way of software plausibility checks. Attacks can therefore be undertaken with little effort and in an uncomplicated manner. For example, Trojans in the control unit are also able to manipulate secure or encrypted communications between control units. As a consequence, there is no redundancy provided in the fault case, and instead only restricted emergency running capabilities are available.